Hi All
I upgraded to 1.2.3 RC3 today.
I'm now able to create an interface on my tun1 for the OpenVPN, and after a
reboot the connection is working.
But the filter rules don't work.
Based on the description I set the interface to a bridging interface to
my LAN, but that way the network connection works but a deny-everything
rule does not work, nor does it log anything.
Then I changed the interface to non bridging with an ip of 192.168.15.1
(which is the ip of tun1) also here network connection is fine, but
filter rules don't work.
What am I doing wrong?
cheers
Andi
Joseph L. Casale wrote:
We have several Road Warrior style OpenVPN Users. Today they are
directly routed to the LAN interface without any Filter Rules.
New security policies request that we restrict some of the OpenVPN Users.
It's a bit unclear to me how this can be done.
Create an OPT interface (do not assign this to a vlan, assign it to a
persistent tun interface). The notion of vlan provides nothing here, also
needs to be assigned to the persistent tun device here.
- Based on their CN we assign them fixed IP addresses.
- We understand that we can do outgoing rules on the LAN interface
Setup the OpenVPN connection to hand out a unique range of IPs such as
192.168.100.0/24. Also setup a Custom Option of "dev tun0" for example
(This gets assigned to the OPT interface *after* you save the vpn config
and it is created).
Setup a Client-specific Config that hands out a unique block of that above
reserved space, like:
Common name: jcasale
Interface IP: 192.168.100.4/30
Some Ops if you need them, like: push "route 192.168.1.0 255.255.255.0"
Common name: jdoe
Interface IP: 192.168.100.8/30
Some Ops if you need them, like: push "route 192.168.10.0 255.255.255.0"
Common name: fbar
Interface IP: 192.168.100.12/30
Some Ops if you need them, like: push "route 192.168.10.0 255.255.255.0"
But how can we do incoming rules for those users, is it possible to
create an interface to assign the rules for them?
Now, setup rules on the outbound side of the OPT interface allowing
192.168.100.4/30 access to whatever it needs.
HTH,
jlc
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
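A small Python helper that puts the scheme from the thread into practice, as an added example that is not from the thread, from pfSense or from OpenVPN: it derives the net30 ifconfig-push endpoints for each CN's /30 block, checks that the blocks fit inside the 192.168.100.0/24 pool without overlapping, and emits the matching per-user pass rules on the tun interface followed by a logging block rule. The per-user destination networks are assumed (taken from the push "route" lines above), and the pf rule text is illustrative of what the OPT interface rules should express, not pfSense's generated ruleset.

```python
import ipaddress

# Constructed from the thread: the tunnel pool and the /30 block per common name.
TUNNEL_POOL = ipaddress.ip_network("192.168.100.0/24")
CLIENT_BLOCKS = {
    "jcasale": "192.168.100.4/30",
    "jdoe": "192.168.100.8/30",
    "fbar": "192.168.100.12/30",
}
# Assumed per-user allow lists (the thread leaves the actual policy to the admin).
ALLOWED_DESTS = {
    "jcasale": ["192.168.1.0/24"],
    "jdoe": ["192.168.10.0/24"],
    "fbar": ["192.168.10.0/24"],
}


def net30_endpoints(block):
    """Return (client_ip, server_ip) for a /30 in OpenVPN's net30 topology.
    The client takes the higher usable address (.6 for .4/30), the server the lower (.5)."""
    net = ipaddress.ip_network(block, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"{block} is not a /30")
    if not net.subnet_of(TUNNEL_POOL):
        raise ValueError(f"{block} lies outside the tunnel pool {TUNNEL_POOL}")
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    return str(hosts[1]), str(hosts[0])


def check_no_overlap(blocks):
    """Refuse a mapping where two users would share tunnel addresses."""
    nets = [ipaddress.ip_network(b) for b in blocks.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def ccd_entry(cn):
    """Client-specific config line that pins this CN to its /30."""
    client, server = net30_endpoints(CLIENT_BLOCKS[cn])
    return f"ifconfig-push {client} {server}"


def pf_rules(cn, iface="tun0"):
    """Pass rules for the user's block on the tun/OPT interface, then log and drop the rest.
    First match wins, so the block rule must come last."""
    block = CLIENT_BLOCKS[cn]
    rules = [f"pass in quick on {iface} from {block} to {d}" for d in ALLOWED_DESTS[cn]]
    rules.append(f"block in log quick on {iface} from {block} to any")
    return rules
```

Running `check_no_overlap(CLIENT_BLOCKS)` first and then `ccd_entry(cn)` / `pf_rules(cn)` per user gives the CCD line and the rule set to mirror in the OPT interface tab.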